* OTA does not work with IMA due to xattr not supported by zip
From: rishi gupta @ 2019-01-08 1:26 UTC
To: linux-integrity
Hi Team,
Android and Android-recovery-based implementations for Linux generate
an OTA package which is a zipped archive.
I observed that xattrs get dropped when creating a zip archive, and
therefore after OTA the system will not boot if IMA_APPRAISE_SIGNED_INIT
is used.
This essentially means that IMA may not be used in commercial products
requiring OTA, or I missed something, or there is a workaround to such a
problem.
https://source.android.com/devices/tech/ota/tools
Regards,
Rishi
* Re: OTA does not work with IMA due to xattr not supported by zip
From: Mimi Zohar @ 2019-01-08 20:58 UTC
To: rishi gupta, linux-integrity
On Tue, 2019-01-08 at 06:56 +0530, rishi gupta wrote:
> Hi Team,
>
> Android and Android-recovery-based implementations for Linux generate
> an OTA package which is a zipped archive.
>
> I observed that xattrs get dropped when creating a zip archive, and
> therefore after OTA the system will not boot if IMA_APPRAISE_SIGNED_INIT
> is used.
>
> This essentially means that IMA may not be used in commercial products
> requiring OTA, or I missed something, or there is a workaround to such a
> problem.
>
> https://source.android.com/devices/tech/ota/tools
Ok. Some applications support xattrs (e.g. RPM, tar); others don't
(e.g. Debian packages, CPIO/initramfs). We worked with the RPM
community to add xattr support. Multiple attempts have been made to
add xattr support to Debian packages.
Mimi
* Re: OTA does not work with IMA due to xattr not supported by zip
From: rishi gupta @ 2019-01-10 6:46 UTC
To: Mimi Zohar; +Cc: linux-integrity
Thanks Mimi. Any plan for zip archive format support?
Also when using EVM, the files have to be signed on target. So after
new files have been flashed on the device during OTA, does the private
key also need to be present on the system?
On Wed, Jan 9, 2019 at 2:28 AM Mimi Zohar <zohar@linux.ibm.com> wrote:
>
> On Tue, 2019-01-08 at 06:56 +0530, rishi gupta wrote:
> > Hi Team,
> >
> > Android and Android-recovery-based implementations for Linux generate
> > an OTA package which is a zipped archive.
> >
> > I observed that xattrs get dropped when creating a zip archive, and
> > therefore after OTA the system will not boot if IMA_APPRAISE_SIGNED_INIT
> > is used.
> >
> > This essentially means that IMA may not be used in commercial products
> > requiring OTA, or I missed something, or there is a workaround to such a
> > problem.
> >
> > https://source.android.com/devices/tech/ota/tools
>
> Ok. Some applications support xattrs (e.g. RPM, tar); others don't
> (e.g. Debian packages, CPIO/initramfs). We worked with the RPM
> community to add xattr support. Multiple attempts have been made to
> add xattr support to Debian packages.
>
> Mimi
>
* Re: OTA does not work with IMA due to xattr not supported by zip
From: Mimi Zohar @ 2019-01-10 16:18 UTC
To: rishi gupta; +Cc: linux-integrity, Dmitry Kasatkin
On Thu, 2019-01-10 at 12:16 +0530, rishi gupta wrote:
> Thanks Mimi. Any plan for zip archive format support?
Are you offering?
> Also when using EVM, the files have to be signed on target. So after
> new files have been flashed on the device during OTA, does the private
> key also need to be present on the system?
Perhaps someone with Android experience could respond. Dmitry?
* Re: OTA does not work with IMA due to xattr not supported by zip
From: Matthew Garrett @ 2019-01-10 18:20 UTC
To: rishi gupta; +Cc: Mimi Zohar, linux-integrity
On Wed, Jan 9, 2019 at 10:47 PM rishi gupta <gupt21@gmail.com> wrote:
>
> Thanks Mimi. Any plan for zip archive format support?
> Also when using EVM, the files have to be signed on target. So after
> new files have been flashed on the device during OTA, does the private
> key also need to be present on the system?
This is what the portable EVM format is for - it allows EVM signatures
to be generated remotely and shipped as part of a package.
* Re: OTA does not work with IMA due to xattr not supported by zip
From: rishi gupta @ 2019-01-13 10:58 UTC
To: Matthew Garrett; +Cc: Mimi Zohar, linux-integrity
Thanks Mimi, I am asking if the integrity team is working with the zip
community like with RPM. I will have a look at the zip code to see if it
is within my capacity to add xattr support or not. A possible solution
looks like replacing zip with tar in the OTA solution.
Thanks Matthew, I am on a lower kernel version, therefore portable EVM
may not be taken in as of now. I will possibly backport it.
On Thu, Jan 10, 2019 at 11:50 PM Matthew Garrett <mjg59@google.com> wrote:
>
> On Wed, Jan 9, 2019 at 10:47 PM rishi gupta <gupt21@gmail.com> wrote:
> >
> > Thanks Mimi. Any plan for zip archive format support?
> > Also when using EVM, the files have to be signed on target. So after
> > new files have been flashed on the device during OTA, does the private
> > key also need to be present on the system?
>
> This is what the portable EVM format is for - it allows EVM signatures
> to be generated remotely and shipped as part of a package.
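As an added example (not code from this thread or from the IMA/EVM project), here is a pre-flight check a practitioner could run over an extracted OTA tree before rebooting into it: it reads security.ima and security.evm on each file and reports where the signature xattr is absent (as happens when zip drops it), is only a digest, or is malformed, and notes whether the EVM signature is the portable kind Matthew describes. It assumes the kernel's evm_ima_xattr_type values and signature_v2_hdr layout (type, version, hash algorithm, big-endian key id and signature size); the getxattr parameter exists so the logic can be exercised on constructed inputs.

```python
import os
from typing import Callable, Dict, Iterable

# xattr type bytes from the kernel's enum evm_ima_xattr_type (assumed values)
EVM_IMA_XATTR_DIGSIG = 3       # security.ima holds an asymmetric signature
IMA_XATTR_DIGEST_NG = 4        # security.ima holds only a file hash
EVM_XATTR_PORTABLE_DIGSIG = 5  # security.evm portable signature (signable off-device)
SIG_V2_HDR_LEN = 9             # type(1) version(1) hash_algo(1) keyid(4) sig_size(2)

def classify_ima(blob: bytes) -> str:
    """Only a well-formed DIGSIG can satisfy IMA_APPRAISE_SIGNED_INIT."""
    if not blob:
        return "missing"
    if blob[0] == IMA_XATTR_DIGEST_NG:
        return "digest-only"
    if blob[0] != EVM_IMA_XATTR_DIGSIG or len(blob) < SIG_V2_HDR_LEN:
        return "unknown"
    sig_size = int.from_bytes(blob[7:9], "big")  # big-endian per signature_v2_hdr
    return "signature" if len(blob) - SIG_V2_HDR_LEN == sig_size else "signature-truncated"

def classify_evm(blob: bytes) -> str:
    if not blob:
        return "missing"
    return "portable" if blob[0] == EVM_XATTR_PORTABLE_DIGSIG else "device-bound"

def _xattr(getxattr: Callable[[str, str], bytes], path: str, name: str) -> bytes:
    try:
        return getxattr(path, name)
    except OSError:          # ENODATA: the archive tool dropped the attribute
        return b""

def audit_paths(paths: Iterable[str],
                getxattr: Callable[[str, str], bytes] = os.getxattr) -> Dict[str, str]:
    """Map each path to 'OK ...' or 'FAIL ...' as signed appraisal would judge it."""
    report = {}
    for p in paths:
        ima = classify_ima(_xattr(getxattr, p, "security.ima"))
        evm = classify_evm(_xattr(getxattr, p, "security.evm"))
        if ima == "missing":
            report[p] = "FAIL: no security.ima (dropped by the archive tool?)"
        elif ima == "digest-only":
            report[p] = "FAIL: security.ima is a hash, not a signature"
        elif ima != "signature":
            report[p] = "FAIL: malformed security.ima (%s)" % ima
        else:
            report[p] = "OK: signed IMA, EVM %s" % evm
    return report
```

On a real extracted tree, feed audit_paths the file paths from os.walk with the default os.getxattr; any FAIL line is a file that signed appraisal will reject on the next boot.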